Worm:W32/Welchi

Name: Worm:W32/Welchi
Category: Malware
Type: Worm
Platform: W32

Summary

A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.

Disinfection

Disinfection Tool

F-Secure provides a special tool to disinfect the Welchi worm. The tool and disinfection instructions are available at:

  •  ftp://ftp.f-secure.com/anti-virus/tools/f-welchi.zip
  •  ftp://ftp.f-secure.com/anti-virus/tools/f-welchi.txt
  •  ftp://ftp.f-secure.com/anti-virus/tools/f-welchi.exe
  •  ftp://ftp.f-secure.com/anti-virus/tools/f-welchi.jar

Please note that this worm creates a service that activates the legitimate Windows tftp server. F-Secure Anti-Virus disinfection alone will neither stop this service nor delete the legitimate (although renamed) tftp server.

To remove the service, use the disinfection tool. The renamed server can be deleted manually; its location is listed in the Infection section of this description.


Manual Disinfection

The worm stops working when the computer's clock is set to 2004. This can be used to remove the worm from the computer: set the date and reboot, which can be automated with the date and shutdown commands, for example:

  •    DATE 01-01-2004
  •    SHUTDOWN -r

Additional Details

Worm:W32/Welchi is an unusual malware in that it attempts to disinfect the computer system from Worm:W32/Lovsan infections. It also attempts to patch a vulnerability used by the Lovsan worm to propagate.

The worm's code contains the following text string, which is never displayed:

  •  =========== I love my wife & baby :)~~~ Welcome Chian~~~
     Notice: 2004 will remove myself:)~~ sorry zhongli~~~====
     ======= wins


Welchi was first reported on August 18th 2003. The worm stops working when the computer's clock is set to 2004.


Infection

Welchi only infects Windows XP machines, through the RPC vulnerability used by the Lovsan worm.

In addition, Welchi will attempt to infect IIS 5.0 web servers via a WebDAV exploit. For more on this vulnerability, found in March 2003, see http://www.microsoft.com/technet/security/bulletin/MS03-007.asp.

This variant uses files named DLLHOST.EXE and SVCHOST.EXE. Note that these are names of normal Windows system files.

On infection, the worm drops files at the following locations:

  •  %systemDir%\wins\DLLHOST.EXE - The worm's executable file
  •  %systemDir%\wins\SVCHOST.EXE - The renamed tftp server


Activity

Unlike most worms, Welchi's effects on the infected system appear to be beneficial. When active, it attempts to disinfect Lovsan.A from the machine by looking for a process with the string "msblast" in its name (a Lovsan characteristic) and terminating it if found. It then deletes the file %systemdir%\msblast.exe, Lovsan's executable copy.

Welchi also attempts to download the Microsoft patch that closes the RPC vulnerability, trying eight different URLs corresponding to four language versions (English, Chinese, Simplified Chinese and Korean) for both Windows XP and Windows 2000. This patch routine is not always successful, so after clearing Welchi from the machine it is recommended to verify the patch according to Microsoft's instructions (see the File Information section at http://support.microsoft.com/?kbid=823980).


Registry

When run, Welchi creates a mutex named "RpcPatch_Mutex" to ensure that only one copy of the worm is active at a time.

The worm does not modify the Windows Registry to launch itself automatically.
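The file locations in the Infection section and the mutex above are the host indicators a responder would check; the added example below (not F-Secure's tool, nor the worm's code) is a triage routine that flags them from constructed inventories of file paths, service image paths and mutex names. The point it encodes is that DLLHOST.EXE and SVCHOST.EXE are only suspicious in the wins subdirectory, and that the service running the renamed tftp server must be reported separately because file cleanup alone leaves it behind; the service name "ExampleSvc" and the system directory default are assumptions.

```python
import ntpath
from dataclasses import dataclass

# Indicators from the description: drop directory, file names, mutex name.
WELCHI_DROP_DIR = "wins"                        # %systemDir%\wins
WELCHI_FILES = {"dllhost.exe", "svchost.exe"}   # worm body and renamed tftp server
WELCHI_MUTEX = "RpcPatch_Mutex"


@dataclass(frozen=True)
class Finding:
    kind: str     # "file", "service" or "mutex"
    detail: str


def _in_drop_dir(path: str, system_dir: str) -> bool:
    """True if path points into %systemDir%\\wins (case-insensitive Windows paths)."""
    head, _ = ntpath.split(path)
    drop = ntpath.join(system_dir, WELCHI_DROP_DIR)
    return ntpath.normpath(head).lower() == ntpath.normpath(drop).lower()


def triage(files, services, mutexes, system_dir=r"C:\WINDOWS\system32"):
    """Return Welchi findings from host inventories supplied by the caller.

    files    : iterable of full paths present on disk
    services : mapping of service name -> image path the service runs
    mutexes  : iterable of mutex names observed on the host
    The worm's file names match real Windows binaries, so only the wins
    subdirectory is treated as malicious; %systemDir% itself is legitimate.
    """
    findings = []
    for path in files:
        if ntpath.basename(path).lower() in WELCHI_FILES and _in_drop_dir(path, system_dir):
            findings.append(Finding("file", path))
    for svc, image in services.items():
        # The service that runs the renamed tftp server survives AV file cleanup,
        # so report it on its own so the responder removes it too.
        if _in_drop_dir(image, system_dir):
            findings.append(Finding("service", f"{svc} -> {image}"))
    for name in mutexes:
        if name == WELCHI_MUTEX:
            findings.append(Finding("mutex", name))
    return findings


# Constructed sample inventory: one clean svchost, the worm's two files, the
# service running the renamed tftp server (name is a placeholder) and its mutex.
SAMPLE_FILES = [r"C:\WINDOWS\system32\svchost.exe",
                r"C:\WINDOWS\system32\wins\SVCHOST.EXE",
                r"C:\WINDOWS\system32\wins\dllhost.exe"]
SAMPLE_SERVICES = {"ExampleSvc": r"C:\WINDOWS\system32\wins\svchost.exe"}
SAMPLE_MUTEXES = ["RpcPatch_Mutex", "UnrelatedMutex"]

if __name__ == "__main__":
    for f in triage(SAMPLE_FILES, SAMPLE_SERVICES, SAMPLE_MUTEXES):
        print(f.kind, f.detail)
```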